Support Center > Search Results > SecureKnowledge Details
HTTPS Inspection FAQ Technical Level

Show Entire Article

  1. Which software blades support HTTPS Inspection?
    • Application Control
    • URL Filtering
    • IPS
    • Data Loss Prevention (DLP)
    • Anti-Virus
    • Anti-Bot
    • Threat Emulation
    • Content Awareness 

  2. Which operating systems support HTTPS Inspection?
    HTTPS Inspection is supported on Security Gateways running only Gaia OS and SecurePlatform OS. Also see Question 22 (re: GAiA Embedded).

  3. Does HTTPS Inspection require a license? Is it a software blade?
    HTTPS Inspection is not a blade and does not require a license. It is included free of charge with other blades.

  4. Are there legal implications to enabling HTTPS Inspection in my organization?
    There may be privacy and legal regulations on the use of this feature depending on the country in which you are located. Please review your local laws and regulations.

  5. Has Check Point cracked HTTPS? Could an attacker do this?
    Check Point has not cracked HTTPS or SSL. HTTPS is regarded as secure and is not known to have been cracked.

    For HTTPS traffic inspection, Security Gateways must examine the data as clear text. Encrypted data sent by a client to a web server is:

    1. Intercepted by the Security Gateway and decrypted.
    2. Inspected by the blades defined by the policy.
    3. Encrypted again and sent to the designated web server.

    The Security Gateway acts as an intermediary between the client computer and the secure web site.
    The Security Gateway behaves as the client with the server, and as the server with the client using certificates.

  6. Why do I get certificate warnings in the browser after turning on HTTPS Inspection?
    A dedicated CA signs certificates, and the Security Gateway presents these certificates to the client.
    Before the user installs that CA certificate, any site accessed by the browser will produce warnings.

  7. How can I make PCs trust the gateway's CA certificate?

    To make the PC trust the gateway CA certificate:

    1. Export the CA certificate from the SmartDashboard (on the HTTPS Inspection window of the Security Gateway, or on the HTTPS Inspection > Gateways pane).

    2. Install the certificate on the user's PC:

      Manually put the certificate file in the user's PC. Click the file and follow the wizard instructions to add the certificate to the trusted root certificates repository on client machines.

      Use GPO or group policy to distribute the certificate to a large group of users. See the documentation for more details.

  8. Does HTTPS Inspection use the Security Management server's Internal CA to issue certificates?
    No. HTTPS Inspection uses a dedicated CA.

  9. Is there a performance impact when enabling HTTPS Inspection on the gateway?
    HTTPS Inspection requires the Security Gateway to perform extra SSL work:
    • SSL handshake with the secure web site and with the client browser.
    • Decrypt & re-encrypt all SSL traffic, to be able to inspect it.

    This has some performance impact on SSL capacity and latency, but in normal situations the end user should not be aware of it.

  10. Why are Extended Validation (EV) certificates displayed as regular certificates in the browser?
    When HTTPS Inspection is used, the browser sees server certificates, signed by the gateway, rather than by the original trusted CA. To get the EV indication in the browser, the server certificate must be signed by a specially-designated Certificate Authority. The list of those CA certificates is hard-coded into the browser, and cannot be modified by the user.

  11. How are the CAs in the list of Trusted CAs chosen? Is the list updated?
    The list of certificate authorities is taken from the Windows system stores. It is updated according to Microsoft updates.

  12. Does HTTPS Inspection check for CRLs? What about OCSP?

    Yes. By default, the CRL check is done on the certificate.
    The check is done without holding the connection, so the first time a user accesses a specific site, it will pass without CRL validation, and the next connection will be validated.
    By default, if the CRL can't be reached, the certificate is considered to be trusted (this is also the default behavior of the common browsers).

    If you wish to enforce CRL fetch, and to mark the certificate as untrusted, if the CRL can not be reached, you can use GuiDBedit Tool to change the value of attribute "drop_if_crl_cannot_be_reached" to "true" (Tables -> "Other" -> "SSL Inspection" table -> "general_confs_obj" Object).

    OCSP is supported from R80.10 and from Jumbo Hotfix Accumulator for R77.30 (Take 266).

  13. Does HTTPS Inspection work on protocols other than HTTPs?
    No, currently it is only possible to inspect HTTPS traffic.

  14. Can I replace the gateway's CA with a different CA?

    Yes, you can import any CA certificate to be used for HTTPS Inspection.

    To import a CA certificate (refer to sk108641):

    In R7x SmartDashboard:

    1. Connect with SmartDashboard to Security Management Server / Domain Management Server. 
    2. Go to Application & URL Filtering tab - on the left, open Advanced - open HTTPS Inspection - click Gateways.
    3. In the CA Certificate section, click the Renew Certificate button - click Import certificate from file... (if no certificate is created yet, click Create first).
    4. The file to import must be a p12 file containing self-signed CA or subordinate CA.

    In R8x SmartConsole:

    1. Connect with SmartConsole to Security Management Server / Domain Management Server.

    2. Go to the list of Security Gateways with enabled HTTPS Inspection:

      1. Open HTTPS Inspection configuration in the Legacy SmartDashboard (select any of these options):

        • On the left Navigation Toolbar, click the MANAGE & SETTINGS - in the upper pane, click on the Blades - in the middle pane, scroll down to the HTTPS Inspection section - click the link Configure in SmartDashboard...:

        • On the left Navigation Toolbar, click the SECURITY POLICIES - in the left pane, in the Shared Policies section, click the HTTPS Inspection - in the middle pane, click the link Open HTTPS Inspection Policy in SmartDashboard...:

      2. In Legacy SmartDashboard, go to the HTTPS Inspection tab - in the left tree, click the Gateways:

    3. In the lower CA Certificate section, click on the Renew Certificate button - choose the desired option:

      • Renew Certificate...

      • Import Certificate from file...

    4. In the lower CA Certificate section, click on the Export... button and save the certificate.

      Install this certificate as a valid Root CA on host computers in your organization (refer to the relevant documentation for the operating system on those computers - e.g., for Windows OS, refer to Microsoft documentation).

    You can also import a certificate signed by hash algorithm SHA-256.

  15. Is it possible to perform selective inspection - just on specific sites, categories or users?
    Yes, you can inspect only specific sites or URL Filtering categories (both require a URL Filtering Blade license).

  16. Why do I sometimes get the gateway CA even for sites that are not configured to be decrypted?
    To filter out sites from HTTPS Inspection, a mapping between the site IP to its correlating domain is needed. The mapping is created based on the certificate DN served by the site. This requires us to perform HTTPS Inspection on any accessed SSL site, at least once. After this mapping is in place, no further inspection will occur (according to the Rule Base). -- This is the underlying reason for the "refresh" success.
    Note: This behavior is only relevant if there is no proxy between the gateway and the Internet. If there is a proxy, we don't perform full inspection.

  17. What information from the encrypted traffic is logged?
    No additional information is logged aside from the regular information logged per Blade. The administrator must have special permissions to view this information.

  18. I read in the news that someone conned the "xyz" CA to give them certificates for the "abc" web site. What should I do?
    It is possible to use the GUI to remove the victim CA from the list of trusted roots. But this is not recommended, as it would damage connections to other customers of that CA.

    Another option is to add the specific certificate serial number to the Black List on the SmartDashboard.
    This approach has been successfully used by all browser vendors in March 2011, when Comodo was conned into issuing multiple certificates for popular web sites.

    Check Point will publish regular updates to the list of CAs, and in the future also to the black-list of known stolen certificates.

  19. Which SSL/TLS versions are supported by HTTPS Inspection?
    SSLv3 and TLSv1 (also known as SSLv3.1). Also, TLSv1.1 and TLSv1.2.
    TLS 1.3 traffic is supported in R81 in USFW. 

  20. Why isn't SSLv2 supported?
    SSLv2 is known to be susceptible to several attacks, and as such, it is not supported.
    Refer to sk108654 - How to control support for SSLv2 handshake in HTTPS Inspection.

  21. Which ciphers are supported by SSL inspection?

  22. On which platforms/appliances is HTTPS Inspection supported?
    For Gaia Embedded:

    • HTTPS Inspection is supported in both locally and centrally managed appliances on all platforms deployed with R8x based firmware (1500 series and higher).

    • On Centrally managed 1100 / 1200R / 1400 HTTPS inspection is supported in R77.20-based firmware.

    • On Locally managed 700 / 900 / 1400 series HTTPS inspection is supported since R77.20.70.

    HTTPS Inspection is not supported on Windows OS.

  23. Does HTTPS Inspection support 3rd party wildcard certificates (like *

  24. Why after enabling HTTPS Inspection some resources that use HTTPS protocol fail to connect?

  25. Is Client Certificate authentication supported by HTTPS Inspection?


Related documentation:

  • Firewall Administration Guide (R76, R77) - Chapter "Defining an Internet Access Policy" - "HTTPS Inspection"

  • Application Control and URL Filtering Administration Guide (R76, R77) - Chapter "Managing Application Control and URL Filtering" - "HTTPS Inspection"

  • Data Loss Prevention Administration Guide (R76, R77) - Chapter "Installation and Configuration" - "HTTPS Inspection"

  • IPS Administration Guide (R76, R77) - Chapter "Monitoring Traffic" - "HTTPS Inspection"

  • Threat Prevention Administration Guide (R77) - Chapter "Using Threat Prevention with HTTPS Traffic"

  • Anti-Bot and Anti-Virus Administration Guide (R75.40, R75.40VS) - Chapter "Managing Anti-Bot and Anti-Virus" - "HTTPS Inspection"


Related solutions:

Give us Feedback
Please rate this document